3.8.0 Upgrade Support

npm audit showed some vulnerabilities after upgrade from 3.6.6. Is it safe to run "npm audit fix" or indeed "npm audit fix --force"? Are the vulns from plugins? How do I know which?

# npm audit report

bootbox  *
Severity: moderate
Bootbox.js Cross Site Scripting vulnerability - https://github.com/advisories/GHSA-m4ch-4m5f-2gp6
No fix available
node_modules/bootbox

braces  <3.0.3
Severity: high
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix`
node_modules/braces

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/request
  akismet  >=1.0.0
  Depends on vulnerable versions of request
  node_modules/akismet
    nodebb-plugin-spam-be-gone  >=0.4.5
    Depends on vulnerable versions of akismet
    node_modules/nodebb-plugin-spam-be-gone
  coveralls  *
  Depends on vulnerable versions of request
  node_modules/coveralls

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/request/node_modules/tough-cookie

ws  8.0.0 - 8.17.0
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
fix available via `npm audit fix`
node_modules/engine.io-client/node_modules/ws
node_modules/engine.io/node_modules/ws
  engine.io  0.7.8 - 0.7.9 || 6.0.0 - 6.5.4
  Depends on vulnerable versions of ws
  node_modules/engine.io
  engine.io-client  0.7.0 || 0.7.8 - 0.7.9 || 6.0.0 - 6.5.3
  Depends on vulnerable versions of ws
  node_modules/engine.io-client

10 vulnerabilities (6 moderate, 4 high)

Great news, but could we have a simple Share to Mastodon button before all that?

@FrankM your nodebb.service file worked and will do for the time being, thanks.
@PitaJ Yes, moving to /var/www helped resolve my issues, cheers.
@B-738 @josef I will try and learn Caddy and pm2 before I gain enough users to have to spawn more processes.
The topic can be marked as resolved now.

@B-738 said in Change user running nodebb & other startup issues:

try to use PM2 https://pm2.keymetrics.io

PM2 does much more than just start an app. Do you think I will need to change NginX proxy settings if I start nodebb with it? What if I increase the number of workers with pm2 scale app x?

@PitaJ said in Change user running nodebb & other startup issues:

You should probably move the NodeBB files out of homeuser's home if You're not planning on homeuser running it.

Yeah, seems so. Could you give me a gist of what steps I would need to take to move nodebb to e.g. /var/www, please?

Changing the user is hard. Perhaps I will remove privileges from the existing user instead.

@B-738 looks great, thanks; I'll try and use it when I get changing nodebb ownership in order.

@Jakub-Urbanowicz
After reverting ownership to homeuser the forum starts correctly.

@PitaJ said in Change user running nodebb & other startup issues:

There shouldn't be a problem with chown/chmoding the files directly, but you could always make a copy first instead.

Yes, there is a problem. I probably need to make some other changes besides chowning the nodebb directory and files, but I don't know what. I get the following errors

nodebb@sv:/home/homeuser/nodebb$ ./nodebb start
node:internal/modules/cjs/loader:1147
  throw err;
  ^

Error: Cannot find module '/home/homeuser/nodebb/nodebb'
    at Module._resolveFilename (node:internal/modules/cjs/loader:1144:15)
    at Module._load (node:internal/modules/cjs/loader:985:27)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:135:12)
    at node:internal/main/run_main_module:28:49 {
  code: 'MODULE_NOT_FOUND',
  requireStack: []
}

Node.js v20.11.0

Thank you for your answers. I'll be trying these changes later today and will report back.

Hi, I've just created my forum at bb.n66.pl using the following setup:

• architecture: arm64 VPS (netcup.de)
• OS: Ubuntu 22.04
• database: Mongodb 7.05
• proxy: NginX as automatically provided by Webinoly
• location: /home/user/nodebb
• coexisting software: WordPress installed using the Webinoly script

Nodebb seems to be working fine and I like it. A big thank you for making it available. But I'm not sure if it's safe running it as a user with sudo privileges. I think I should have created an unprivileged user and set up nodebb as such, which leads me to the following:
Question 1: Would it be OK to change ownership of the entire nodebb directory and its content at this moment when the forum is already set up?
Question 2: I'm starting nodebb with ./nodebb start, but I'm unable to get systemd to start it. I tried snippets (with relevant adjustments for the user and nodebb location) from nodebb docs and other web resources, but they lead to startup failure, or a bad gateway error. Can somebody publish a systemd unit that's actually working?